iptables advanced study notes
iptables is the IP packet filtering system integrated into the 2.6.x Linux kernel. If a Linux system is connected to the Internet or a LAN, acts as a server, or is a proxy between a LAN and the Internet, iptables gives fine control over IP packet filtering and firewall configuration on that system. The netfilter/iptables packet filtering system is a powerful tool for adding, editing and removing the rules a firewall follows when it makes packet filtering decisions. These rules are stored in dedicated packet filtering tables built into the Linux kernel; inside a table, rules are grouped into what are called chains. Although netfilter/iptables is referred to as a single entity, it consists of two components: netfilter and iptables. The netfilter component, also called kernel space, is part of the kernel and consists of the packet filtering tables that hold the rule sets the kernel uses to control packet filtering. The iptables component, also called user space, is the tool that makes it easy to insert, modify and remove rules in those tables. The biggest advantage of netfilter/iptables is that it can be configured as a stateful firewall. A stateful firewall can identify and remember the state of the connections established to send or receive packets; it obtains this information from the packet's connection tracking state, and using that state when deciding how to filter new packets improves both efficiency and speed. The other major advantage is that it gives the user complete control over the firewall configuration and packet filtering: you can write your own rules to match your specific needs, so that only the traffic you want enters the system.
Hook point      filter    nat    mangle
--------------------------------------------------------
INPUT             x                 x
FORWARD           x                 x
OUTPUT            x        x        x
PREROUTING                 x        x
POSTROUTING                x        x
[root@localhost ~]# which iptables
/sbin/iptables
[root@localhost ~]# rpm -qf `which iptables`
iptables-1.3.5-5.3.el5_4.1
[root@localhost ~]# ls /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/    (.ko = kernel object, a loadable kernel module)
arptable_filter.ko            ip_conntrack_tftp.ko    iptable_nat.ko      ipt_MASQUERADE.ko
arp_tables.ko                 ip_nat_amanda.ko        iptable_raw.ko      ipt_NETMAP.ko
arpt_mangle.ko                ip_nat_ftp.ko           ip_tables.ko        ipt_owner.ko
ip_conntrack_amanda.ko        ip_nat_h323.ko          ipt_addrtype.ko     ipt_recent.ko
ip_conntrack_ftp.ko           ip_nat_irc.ko           ipt_ah.ko           ipt_REDIRECT.ko
ip_conntrack_h323.ko          ip_nat.ko               ipt_CLUSTERIP.ko    ipt_REJECT.ko
ip_conntrack_irc.ko           ip_nat_pptp.ko          ipt_dscp.ko         ipt_SAME.ko
ip_conntrack.ko               ip_nat_sip.ko           ipt_DSCP.ko         ipt_TCPMSS.ko
ip_conntrack_netbios_ns.ko    ip_nat_snmp_basic.ko    ipt_ecn.ko          ipt_tos.ko
ip_conntrack_netlink.ko       ip_nat_tftp.ko          ipt_ECN.ko          ipt_TOS.ko
ip_conntrack_pptp.ko          ip_queue.ko             ipt_hashlimit.ko    ipt_ttl.ko
ip_conntrack_proto_sctp.ko    iptable_filter.ko       ipt_iprange.ko      ipt_TTL.ko
ip_conntrack_sip.ko           iptable_mangle.ko       ipt_LOG.ko          ipt_ULOG.ko
RHEL6 modules cannot be loaded on RHEL5 (recall how module loading works: a module is built against one kernel version).
===============================================================================
iptables [-t table] -A chain rule-specification
    -A, --append
iptables [-t table] -I chain [rulenum] rule-specification
    -I, --insert
iptables [-t table] -D chain rulenum
    -D, --delete
iptables [-t table] {-F|-L} [chain [rulenum]] [options...]
    -F, --flush
    -L, --list
iptables [-t table] -P chain target
    -P, --policy
Rule targets: DROP, ACCEPT, LOG, REJECT
TARGETS
    ACCEPT, DROP, QUEUE, RETURN
TARGET EXTENSIONS
    DNAT, LOG, MASQUERADE, REJECT, SNAT ...
Matching by IP address
=============================
Match criteria
IP:  -s 192.168.0.0/24
     -d 192.168.0.1
NIC: -i eth0
     -o eth1
!:   -i eth0 ! -s 192.168.0.0/24      (negation of a match)
[root@localhost ~]# iptables -t filter -A INPUT -s 192.168.2.0/24 -j DROP
[root@localhost ~]# iptables -I INPUT ! -s 192.168.3.0/24 -j ACCEPT
[root@localhost ~]# iptables -I INPUT -i eth0 -j ACCEPT
[root@localhost ~]# service iptables save
iptables:将防火墙规则保存到 /etc/sysconfig/iptables:
[确定]
Matching by service port
==========================================================================
protocol port: -p tcp --dport 80
               -p udp --sport 53
port range:    0:1024
ICMP:          -p icmp --icmp-type host-unreachable
[root@localhost ~]# iptables -A INPUT -s 192.168.2.1 -p tcp --dport 80 -j DROP
Default policy
-P <chain> <ACCEPT|DROP|REJECT>      (in practice a built-in chain's policy can only be ACCEPT or DROP; REJECT is a target extension and goes in a rule)
[root@localhost ~]# iptables -P INPUT ACCEPT
Flush all rules of a table
[root@localhost ~]# iptables -F
iptables -t filter -L
Set the default policy to DROP
[root@localhost ~]# iptables -t filter -P INPUT DROP
SSH to the remote host: the replies must be let back in
[root@localhost ~]# iptables -t filter -A INPUT -p tcp --sport 22 -j ACCEPT
With a default policy of DROP, loopback (lo) must be allowed explicitly
[root@localhost ~]# iptables -t filter -A INPUT -i lo -j ACCEPT
-v verbose; -n numeric (do not resolve IPs to hostnames or ports to service names); --line-numbers show the rule numbers
[root@localhost ~]# iptables -t filter -L -n -v --line-numbers
MATCH EXTENSIONS
===============================================================
icmp
[root@localhost ~]# iptables -t filter -I INPUT -p icmp -h
[root@localhost ~]# iptables -t filter -I INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
[root@localhost ~]# iptables -t filter -I INPUT -p icmp -m icmp --icmp-type echo-request -j DROP
(default policy ACCEPT)
================================================================
connlimit: allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block). Here: at most 2 simultaneous connections from the same IP.
[root@localhost ~]# iptables -t filter -A INPUT -s 172.16.1.0/24 -p tcp --syn --dport 22 -m connlimit -h
[root@localhost ~]# iptables -t filter -A INPUT -s 172.16.1.0/24 -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j DROP
=================================================================
iprange
[root@localhost ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@localhost ~]# iptables -t filter -A FORWARD -m iprange --src-range 172.16.1.10-172.16.1.20 -j DROP
[root@localhost ~]# iptables -t filter -A INPUT -p tcp --dport 80 -m iprange --src-range 172.16.1.10-172.16.1.20 -j DROP
==================================================================
length
[root@localhost ~]# ping -c 1 node1
PING node1.uplooking.com (172.16.1.1) 56(84) bytes of data.
64 bytes from node1.uplooking.com (172.16.1.1): icmp_seq=1 ttl=64 time=1.25 ms
--- node1.uplooking.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.259/1.259/1.259/0.000 ms
84 = 56 (data) + 20 (IP header) + 8 (ICMP header); -m length matches on this total IP packet length
[root@localhost ~]# iptables -t filter -A INPUT -p icmp -m length --length 50:100 -j DROP
[root@node1 ~]# ping 172.16.1.6
PING 172.16.1.6 (172.16.1.6) 56(84) bytes of data.
--- 172.16.1.6 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4010ms
[root@node1 ~]# ping -c 1 -s 50 172.16.1.6
PING 172.16.1.6 (172.16.1.6) 50(78) bytes of data.
--- 172.16.1.6 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
[root@node1 ~]# ping -c 1 -s 21 172.16.1.6
PING 172.16.1.6 (172.16.1.6) 21(49) bytes of data.
29 bytes from 172.16.1.6: icmp_seq=1 ttl=64 time=7.25 ms
--- 172.16.1.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 7.255/7.255/7.255/0.000 ms
==========================================================================
limit (flood traffic, flood attacks)
[root@node1 ~]# ping 172.16.1.6
PING 172.16.1.6 (172.16.1.6) 56(84) bytes of data.
64 bytes from 172.16.1.6: icmp_seq=1 ttl=64 time=0.304 ms
64 bytes from 172.16.1.6: icmp_seq=2 ttl=64 time=0.346 ms
64 bytes from 172.16.1.6: icmp_seq=3 ttl=64 time=0.584 ms
3 packets transmitted, 3 received, 0% packet loss, time 2007ms
rtt min/avg/max/mdev = 0.304/0.411/0.584/0.124 ms
[root@localhost ~]# iptables -t filter -A INPUT -s 172.16.1.1 -p icmp -m limit --limit 10/minute -j ACCEPT
[root@localhost ~]# iptables -t filter -A INPUT -p icmp -j DROP
--limit-burst number: number of packets to match in a burst, default 5
With --limit 10/minute the first 5 packets (the burst) are not limited; after that one packet is matched every 6 seconds.
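To make the burst-then-trickle behaviour concrete, here is an added example (not part of the original notes) that simulates the token bucket behind -m limit in shell: the bucket holds enough credit for <burst> packets, refills at the configured rate, and a packet matches only when a full credit is available. The packet arrival times are constructed for the example, and the model assumes the rate divides 60 evenly.

```shell
# Added example, not from the original notes: a token-bucket simulation of the
# decision "-m limit --limit <rate>/minute --limit-burst <burst>" makes per packet.
# The kernel keeps a credit counter that refills with elapsed time, capped at the
# burst size; a packet matches only when enough credit has accumulated.
limit_match() {
    # usage: limit_match <packets per minute> <burst> <t1> <t2> ...   (times in seconds)
    # prints one "<time> match" or "<time> nomatch" line per packet
    rate=$1; burst=$2; shift 2
    period=$((60 / rate))        # seconds of credit one packet costs (6 for 10/minute)
    cap=$((burst * period))      # capacity: a full bucket pays for <burst> packets
    credit=$cap; prev=0
    for t in "$@"; do
        credit=$((credit + t - prev))     # refill by the time elapsed since the last packet
        prev=$t
        if [ "$credit" -gt "$cap" ]; then credit=$cap; fi
        if [ "$credit" -ge "$period" ]; then
            credit=$((credit - period))
            echo "$t match"
        else
            echo "$t nomatch"
        fi
    done
}

limit_match_count() {
    # usage: same arguments as limit_match; prints how many packets the rule matched
    limit_match "$@" | grep -c ' match$'
}

# A constructed 13-packet flood, one packet per second, against
# "--limit 10/minute --limit-burst 5": packets 0-4 match (the burst),
# then only the packets at 6 s and 12 s, one every 6 seconds.
limit_match 10 5 0 1 2 3 4 5 6 7 8 9 10 11 12
```

Run with the ACCEPT/DROP pair of rules from the notes in mind: every "match" line is an echo-request the limit rule would ACCEPT, and every "nomatch" line falls through to the following DROP rule.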
===========================================================================
mac (LAN only; not usable across a WAN, because the source MAC is rewritten at every router hop)
[root@localhost ~]# iptables -t filter -A INPUT [ -p icmp ] -m mac --mac-source 00:0C:29:24:44:0A -j DROP
[root@localhost ~]# arping 172.16.1.1
ARPING 172.16.1.1 from 172.16.1.6 eth0
Unicast reply from 172.16.1.1 [00:0C:29:24:44:0A] 0.979ms
Unicast reply from 172.16.1.1 [00:0C:29:24:44:0A] 1.122ms
Unicast reply from 172.16.1.1 [00:0C:29:24:44:0A] 1.102ms
Unicast reply from 172.16.1.1 [00:0C:29:24:44:0A] 0.949ms
Sent 4 probes (1 broadcast(s))
Received 4 response(s)
=============================================================================
multiport
[root@localhost ~]# iptables -t filter -A INPUT -p tcp -m multiport --source-ports 22,80,21 -j ACCEPT
state: matching on connection state
There are four valid states, named ESTABLISHED, INVALID, NEW and RELATED.
NEW means the packet has started or will start a new connection, or is associated with a connection that has not yet been used to send and receive packets in both directions.
ESTABLISHED means the packet belongs to an established connection, one that has been used to send and receive packets and is fully valid.
RELATED means the packet is starting a new connection that is associated with an already established connection.
INVALID means the packet is not associated with any known flow or connection; it may carry bad data or headers.
ICMP
A ----- PING -----> B
  echo-request ---------------------->    NEW
  <---------------------- echo-reply      ESTABLISHED
[root@localhost ~]# iptables -t filter -A INPUT -p icmp -m icmp --icmp-type echo-request -m state --state NEW -j LOG --log-prefix " ICMP_NEW "
[root@localhost ~]# iptables -t filter -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -m state --state ESTABLISHED -j LOG --log-prefix " ICMP_ESTABLISHED "
  echo-request ---------------------->    NEW
  <---- XXXXXXX ------ host-unreachable   RELATED   (the ICMP error refers back to the request that triggered it)
[root@localhost ~]# iptables -t filter -A OUTPUT -p icmp -m icmp --icmp-type echo-request -m state --state NEW -j LOG --log-prefix " ICMP_NEW "
[root@localhost ~]# iptables -t filter -A INPUT -p icmp -m icmp --icmp-type host-unreachable -m state --state RELATED -j LOG --log-prefix " ICMP_RELATED "
TCP
A                              B
  ------------ SYN ---------->
  <--------- SYN+ACK ---------
  ------------ ACK ---------->
  ...
  --------- PUSH+data ------->
  <----------- ACK -----------
  ...
  ------------ FIN ---------->
  <----------- ACK -----------
  <----------- FIN -----------
  ------------ ACK ---------->
Flags: SYN ACK PUSH FIN URG (urgent) RST (reset)
PUSH -> push flag: used by interactive services with tight delay/latency requirements
ACK  -> acknowledgement: three-way handshake, four-way close, acknowledgement/retransmission
FIN  -> connection close (four-way handshake)
SYN  -> three-way handshake
URG  -> set by the application program when it decides to use it
RST  -> returned when a port that is not open is accessed
node2 ------------ ssh ------------> node1, then exit
[root@node1 ~]# iptables -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "INPUT_NEW_22" --log-tcp-options --log-ip-options
[root@node1 ~]# iptables -t filter -A OUTPUT -p tcp --sport 22 -m state --state NEW -j LOG --log-prefix "OUTPUT_NEW_22" --log-tcp-options --log-ip-options
[root@node1 ~]# iptables -t filter -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED -j LOG --log-prefix "INPUT_ESTABLISHED_22" --log-tcp-options --log-ip-options
[root@node1 ~]# iptables -t filter -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j LOG --log-prefix "OUTPUT_ESTABLISHED_22" --log-tcp-options --log-ip-options
A --------------> B port 80
  <----- RST -----          B has nothing listening on port 80
[root@localhost ~]# service httpd status
httpd: unrecognized service
[root@localhost ~]# tcpdump -i eth0 host 172.16.1.1 and port 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
23:37:30.389821 IP 172.16.1.1.59535 > 172.16.1.6.80: S 4240260197:4240260197(0) win 5840 <mss 1460,sackOK,timestamp 134373116 0,nop,wscale 3>
23:37:30.390652 IP 172.16.1.6.80 > 172.16.1.1.59535: R 0:0(0) ack 4240260198 win 0
23:37:30.390147 IP 172.16.1.1.59536 > 172.16.1.6.80: S 4243179156:4243179156(0) win 5840 <mss 1460,sackOK,timestamp 134373117 0,nop,wscale 3>
23:37:30.390232 IP 172.16.1.6.80 > 172.16.1.1.59536: R 0:0(0) ack 4243179157 win 0
23:37:30.390454 IP 172.16.1.1.59537 > 172.16.1.6.80: S 4239605108:4239605108(0) win 5840 <mss 1460,sackOK,timestamp 134373117 0,nop,wscale 3>
23:37:30.390509 IP 172.16.1.6.80 > 172.16.1.1.59537: R 0:0(0) ack 4239605109 win 0
nmap -sA -p <port> <host>: ACK scan
  A: ack
  s: scan
A ------- ACK -------> B 80     NEW           (conntrack knows no connection for this bare ACK, so it is classed NEW)
  <------- RST --------         ESTABLISHED
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -t filter -A INPUT -p tcp --dport 80 -m state --state NEW -j LOG --log-prefix " NEW_ACK " --log-tcp-options --log-ip-options
[root@localhost ~]# iptables -t filter -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j LOG --log-prefix " ESTABLISHED_RST " --log-tcp-options --log-ip-options
[root@localhost ~]# > /var/log/kernel.log
[root@node2 ~]# nmap -sA -p 80 172.16.1.6
[root@localhost ~]# cat /var/log/kernel.log
Mar 14 00:14:03 localhost kernel: NEW_ACK IN=eth0 OUT= MAC=00:0c:29:30:c1:b6:00:0c:29:9f:ce:10:08:00 SRC=172.16.1.2 DST=172.16.1.6 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=35327 PROTO=TCP SPT=57765 DPT=80 WINDOW=2048 RES=0x00 ACK URGP=0
Mar 14 00:14:03 localhost kernel: ESTABLISHED_RST IN= OUT=eth0 SRC=172.16.1.6 DST=172.16.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=57765 WINDOW=0 RES=0x00 RST URGP=0
nmap -sF <host>: FIN scan; when the port is not open the target answers RST+ACK
A -------- FIN -------> B       INVALID
  <----- RST+ACK ------         INVALID
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -t filter -A INPUT -p tcp --dport 80 -m state --state INVALID -j LOG --log-prefix " INVALID_FIN " --log-tcp-options --log-ip-options
[root@localhost ~]# iptables -t filter -A OUTPUT -p tcp --sport 80 -m state --state INVALID -j LOG --log-prefix " INVALID_RST_ACK " --log-tcp-options --log-ip-options
[root@localhost ~]# > /var/log/kernel.log
[root@node2 ~]# nmap -sF -p 80 172.16.1.6
[root@localhost ~]# cat /var/log/kernel.log
Mar 14 00:20:11 localhost kernel: INVALID_FIN IN=eth0 OUT= MAC=00:0c:29:30:c1:b6:00:0c:29:9f:ce:10:08:00 SRC=172.16.1.2 DST=172.16.1.6 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=19723 PROTO=TCP SPT=61490 DPT=80 WINDOW=3072 RES=0x00 FIN URGP=0
Mar 14 00:20:11 localhost kernel: INVALID_RST_ACK IN= OUT=eth0 SRC=172.16.1.6 DST=172.16.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=61490 WINDOW=0 RES=0x00 ACK RST URGP=0
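The LOG lines above are only useful if something reads them. As an added example (not part of the original notes), the shell/awk functions below parse lines in the kernel LOG format shown above, pull out the prefix, addresses, ports and TCP flag words, and count hits per prefix, source and flag set, which is the shape of data a scan alert is built on. The sample lines are constructed in that format, reusing the addresses from the notes.

```shell
# Added example, not from the original notes: parse iptables LOG lines from the
# kernel log and count hits per log prefix, source address and TCP flags.
# Sample lines constructed in the format the notes show (addresses from the notes).
SAMPLE_KERNEL_LOG='Mar 14 00:14:03 localhost kernel: NEW_ACK IN=eth0 OUT= MAC=00:0c:29:30:c1:b6:00:0c:29:9f:ce:10:08:00 SRC=172.16.1.2 DST=172.16.1.6 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=35327 PROTO=TCP SPT=57765 DPT=80 WINDOW=2048 RES=0x00 ACK URGP=0
Mar 14 00:14:03 localhost kernel: ESTABLISHED_RST IN= OUT=eth0 SRC=172.16.1.6 DST=172.16.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=57765 WINDOW=0 RES=0x00 RST URGP=0
Mar 14 00:20:11 localhost kernel: INVALID_FIN IN=eth0 OUT= MAC=00:0c:29:30:c1:b6:00:0c:29:9f:ce:10:08:00 SRC=172.16.1.2 DST=172.16.1.6 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=19723 PROTO=TCP SPT=61490 DPT=80 WINDOW=3072 RES=0x00 FIN URGP=0
Mar 14 00:20:11 localhost kernel: INVALID_RST_ACK IN= OUT=eth0 SRC=172.16.1.6 DST=172.16.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=61490 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar 14 00:20:12 localhost kernel: INVALID_FIN IN=eth0 OUT= MAC=00:0c:29:30:c1:b6:00:0c:29:9f:ce:10:08:00 SRC=172.16.1.2 DST=172.16.1.6 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=19724 PROTO=TCP SPT=61491 DPT=22 WINDOW=3072 RES=0x00 FIN URGP=0'

parse_kernel_log() {
    # Reads LOG lines on stdin; prints one line per hit: prefix src dst proto spt dpt flags
    awk '
    /kernel: / {
        prefix = ""; src = ""; dst = ""; proto = ""; spt = ""; dpt = ""; flags = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "kernel:") { prefix = $(i + 1); continue }   # the --log-prefix text
            n = split($i, kv, "=")
            if (n == 2 && kv[1] == "SRC") src = kv[2]
            else if (n == 2 && kv[1] == "DST") dst = kv[2]
            else if (n == 2 && kv[1] == "PROTO") proto = kv[2]
            else if (n == 2 && kv[1] == "SPT") spt = kv[2]
            else if (n == 2 && kv[1] == "DPT") dpt = kv[2]
            else if ($i ~ /^(SYN|ACK|FIN|RST|PSH|URG)$/)          # bare TCP flag words
                flags = (flags == "" ? $i : flags "," $i)
        }
        if (flags == "") flags = "-"
        print prefix, src, dst, proto, spt, dpt, flags
    }'
}

summarize_kernel_log() {
    # Reads LOG lines on stdin; prints "prefix src flags count", sorted by prefix
    parse_kernel_log | awk '{ key = $1 " " $2 " " $7; n[key]++ }
                            END { for (k in n) print k, n[k] }' | sort
}

# On the constructed sample this reports, among others, two INVALID_FIN hits
# from 172.16.1.2 carrying only the FIN flag: the signature of the FIN scan above.
printf '%s\n' "$SAMPLE_KERNEL_LOG" | summarize_kernel_log
```

On a real host the input would be `grep kernel: /var/log/kernel.log | summarize_kernel_log`; the prefixes are whatever `--log-prefix` strings the rules use, so keeping them short and without inner spaces (as in the notes) keeps the first field unambiguous.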
iptables -t filter -A INPUT -p tcp -m state --state INVALID -j DROP
INVALID must be dropped; allow NEW only when the SYN flag is set
With a default policy of DROP:
Method 1: iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
Method 2: iptables -t filter -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
Method 3: iptables -t filter -A INPUT -p tcp --syn --dport 80 -m state --state NEW -j ACCEPT
Method 4: iptables -t filter -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
(Methods 3 and 4 are used together: 3 admits only the SYN that opens a connection, 4 admits the rest of that connection.)
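Putting the pieces of this section together (default DROP, loopback, INVALID dropped, replies allowed by state, NEW admitted only with SYN, the ICMP limit and the SSH connlimit), here is an added example (not from the original notes) that writes the whole host firewall as an iptables-restore file, so it can be reviewed and then loaded atomically instead of appending rules one at a time. The ports passed in, the ICMP limit and the connlimit value are assumptions chosen for the example; the option names are the ones the notes use (-m state, -m limit, -m connlimit).

```shell
# Added example, not from the original notes: the host firewall the notes build
# up, emitted as iptables-restore input ("iptables-restore < rules" loads it in
# one step).  Ports, limit and connlimit values are example assumptions.
host_firewall_rules() {
    # usage: host_firewall_rules <tcp port> [<tcp port> ...]
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/minute --limit-burst 5 -j ACCEPT
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT --reject-with tcp-reset
EOF
    # one rule per published port: a new connection is admitted only by a SYN,
    # so a bare ACK or FIN probe (classed NEW or INVALID above) never matches here
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --syn --dport $port -m state --state NEW -j ACCEPT"
    done
    # log, rate-limited, whatever is about to fall through to the DROP policy
    printf '%s\n' '-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT_DROP "'
    echo COMMIT
}

# Example: SSH and HTTP published, everything else dropped and logged
host_firewall_rules 22 80
```

Rule order is the point: INVALID is dropped before ESTABLISHED,RELATED is accepted, the connlimit check on port 22 sits before the SYN accept for that port (after ESTABLISHED is accepted, only SYNs reach it), and the LOG rule is last so it sees only what the policy would drop.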
FTP
A 1029 ---------- SYN -----------> B 21      NEW
       <-------- SYN+ACK ---------           ESTABLISHED
       ----------- ACK ---------->           ESTABLISHED
A 1030 ---------- SYN -----------> B 5000    NEW/RELATED: after modprobe ip_conntrack_ftp the data connection is recognized as RELATED
       <--------------------------           ESTABLISHED
       ----------- ACK ---------->           ESTABLISHED
[root@node1 ~]# iptables -t filter -A INPUT -p tcp --dport 21 -m state --state NEW -j LOG --log-prefix " in_21_new " --log-ip-options --log-tcp-options
[root@node1 ~]# iptables -t filter -A INPUT -p tcp --dport 21 -m state --state ESTABLISHED -j LOG --log-prefix " in_21_es " --log-ip-options --log-tcp-options
[root@node1 ~]# iptables -t filter -A INPUT -p tcp -m state --state RELATED -j LOG --log-prefix " in_21_RE " --log-ip-options --log-tcp-options
UDP
A --------------> B port 12345    NEW
  <--------------                 ESTABLISHED
  -------------->                 NEW
  <---------------                ESTABLISHED
A to B: NEW; B to A: ESTABLISHED
[root@node1 ~]# iptables -t filter -A INPUT -p udp --dport 12345 -m state --state NEW -j LOG --log-prefix " IN_12345_NEW "
[root@node1 ~]# iptables -t filter -A INPUT -p udp --dport 12345 -m state --state ESTABLISHED -j LOG --log-prefix " IN_12345_ES "
[root@node1 ~]# iptables -t filter -A OUTPUT -p udp --sport 12345 -m state --state ESTABLISHED -j LOG --log-prefix " OUT_12345_ES "
[root@node1 ~]# iptables -t filter -A OUTPUT -p udp --sport 12345 -m state --state NEW -j LOG --log-prefix " OUT_12345_NEW "
[root@node1 ~]# iptables -t filter -A INPUT -s 192.168.0.202 -p udp --dport 53 -m state --state NEW -j LOG --log-prefix " IN_53_NEW "
[root@node1 ~]# iptables -t filter -A INPUT -s 192.168.0.202 -p udp --dport 53 -m state --state ESTABLISHED -j LOG --log-prefix " IN_53_ES "
[root@node1 ~]# iptables -t filter -A OUTPUT -d 192.168.0.202 -p udp --sport 53 -m state --state NEW -j LOG --log-prefix " OUT_53_NEW "
[root@node1 ~]# iptables -t filter -A OUTPUT -d 192.168.0.202 -p udp --sport 53 -m state --state ESTABLISHED -j LOG --log-prefix " OUT_53_ES "
UDP: each datagram A sends is NEW
When no service answers, the reply is an ICMP udp port-unreachable, which is RELATED
A --------------> B port 12345 (port not open)   NEW
  <-------------- icmp port-unreachable          RELATED
nc (netcat): -u selects UDP (TCP without -u); "nc -l <port>" listens on a local port; without -l, give a host and port to connect to a remote port
Remote syslog messages are not accepted here (nothing listens on UDP 514):
[root@node1 ~]# tcpdump -i eth0 -nn host node2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
19:26:16.309934 IP 192.168.0.202.514 > 192.168.0.201.514: SYSLOG user.notice, length: 18
19:26:16.419374 IP 192.168.0.201 > 192.168.0.202: ICMP 192.168.0.201 udp port 514 unreachable, length 54
==============================================================================
ttl
[root@node1 ~]# iptables -t filter -A INPUT -s 192.168.0.202 -m ttl --ttl-eq 64 -j DROP
[root@node1 ~]# cat /proc/sys/net/ipv4/ip_default_ttl
64
iptables -m ttl -h
[root@node2 ~]# echo 128 > /proc/sys/net/ipv4/ip_default_ttl
[root@node2 ~]# ping 192.168.0.201 -c 1
[root@node1 ~]# tcpdump -i eth0 -nnv host 192.168.0.202
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:07:11.305825 IP (tos 0x0, ttl 128, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) 192.168.0.202 > 192.168.0.201: ICMP echo request, id 1806, seq 1, length 64
20:07:11.305880 IP (tos 0x0, ttl 64, id 47246, offset 0, flags [none], proto: ICMP (1), length: 84) 192.168.0.201 > 192.168.0.202: ICMP echo reply, id 1806, seq 1, length 64
===============================================================================
tos (type of service)
iptables -m tos -h
tos 0   normal service (most traffic; confirm with a packet capture)
tos 2   minimize cost: not seen
tos 4   maximize reliability: not seen
tos 8   maximize throughput: downloads, ftp-data (port 20)
tos 16  minimize delay: TCP push, telnet, ssh, ftp 2
Seen in captures:
  ssh  tos 0 and 16
  scp  tos 0 and 8
So with the rule below scp still works but interactive ssh does not:
iptables -A INPUT -p tcp --dport 22 -m tos --tos 16 -j DROP
DROP vs REJECT
===================================
[root@localhost ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j DROP
[root@localhost ~]# tcpdump -i eth0 -nn host 172.16.1.1 and port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
23:03:53.029197 IP 172.16.1.1.45313 > 172.16.1.6.22: S 2666911189:2666911189(0) win 5840 <mss 1460,sackOK,timestamp 165299736 0,nop,wscale 3>
23:03:56.110705 IP 172.16.1.1.45313 > 172.16.1.6.22: S 2666911189:2666911189(0) win 5840 <mss 1460,sackOK,timestamp 165302737 0,nop,wscale 3>
23:04:02.123340 IP 172.16.1.1.45313 > 172.16.1.6.22: S 2666911189:2666911189(0) win 5840 <mss 1460,sackOK,timestamp 165308737 0,nop,wscale 3>
23:04:14.139680 IP 172.16.1.1.45313 > 172.16.1.6.22: S 2666911189:2666911189(0) win 5840 <mss 1460,sackOK,timestamp 165320737 0,nop,wscale 3>
23:04:38.468138 IP 172.16.1.1.45313 > 172.16.1.6.22: S 2666911189:2666911189(0) win 5840 <mss 1460,sackOK,timestamp 165344738 0,nop,wscale 3>
23:05:27.726803 IP 172.16.1.1.45313 > 172.16.1.6.22: S 2666911189:2666911189(0) win 5840 <mss 1460,sackOK,timestamp 165392738 0,nop,wscale 3>
With DROP the client gets no answer and keeps retransmitting the same SYN at doubling intervals (3, 6, 12, 24, 48 s) until it times out.
[root@localhost ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
[root@localhost ~]# tcpdump -i eth0 -nn host 172.16.1.1 and port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
23:10:05.690273 IP 172.16.1.1.44300 > 172.16.1.6.22: S 3060689565:3060689565(0) win 5840 <mss 1460,sackOK,timestamp 165668951 0,nop,wscale 3>
23:10:05.690645 IP 172.16.1.6.22 > 172.16.1.1.44300: R 0:0(0) ack 3060689566 win 0
With REJECT --reject-with tcp-reset the client receives an RST at once and gives up immediately.
==============================================================================
Network Address Translation (NAT) is a WAN access technique that translates private (reserved) addresses into legitimate IP addresses; it is widely used in all kinds of Internet access methods and networks. The reason is simple: NAT not only neatly solves the shortage of IP addresses, it also helps to fend off attacks from outside the network by hiding and protecting the computers inside it.
Transparent forwarding
Client <-----------------------------> NAT Server <-----------------------------> WEB Server
192.168.1.1                  192.168.1.2 ----- 1.1.1.1                        1.1.1.2
Client:     route add default gw 192.168.1.254 dev eth0
NAT Server: echo 1 > /proc/sys/net/ipv4/ip_forward
WEB Server: route add default gw 1.1.1.1 dev eth0
SNAT: company Internet access
Client <-----------------------------> NAT Server <-----------------------------> WEB Server
192.168.1.1            eth0:192.168.1.254   eth1:1.1.1.1                        1.1.1.2
Client:     route add default gw 192.168.1.254 dev eth0
NAT Server: echo 1 > /proc/sys/net/ipv4/ip_forward
NAT Server: iptables -t nat -A POSTROUTING -p tcp --dport 80 -j SNAT --to-source 1.1.1.1
NAT Server: iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE      (for an external address assigned by DHCP; eth1 is the external interface in the diagram)
DNAT: publishing a server on the internal network
WEB Server <-----------------------------> NAT Server <-----------------------------> Client
192.168.1.1            eth0:192.168.1.254   eth1:1.1.1.1                        1.1.1.2
WEB Server: route add default gw 192.168.1.254 dev eth0
NAT Server: iptables -t nat -A PREROUTING -d 1.1.1.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
Port redirection: the rule used for a transparent proxy
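The SNAT and DNAT rules above are only half of a working gateway: once the FORWARD policy is DROP, the forwarded traffic has to be admitted as well, and the notes do not show those rules. As an added example (not from the original notes), the function below emits the nat-table rules for both topologies together with the matching FORWARD rules as iptables-restore input. Interface names and addresses are taken from the diagrams above and the published port is 80 as in the notes; passing "dhcp" as the external address switches from SNAT to MASQUERADE, as the notes suggest for a DHCP-assigned address.

```shell
# Added example, not from the original notes: nat-table rules for the SNAT (or
# MASQUERADE) and DNAT setups in the diagrams, plus the FORWARD rules a gateway
# with a FORWARD policy of DROP needs, emitted as iptables-restore input.
nat_gateway_rules() {
    # usage: nat_gateway_rules <lan if> <wan if> <wan ip|dhcp> <lan net> <internal web server ip>
    lan_if=$1; wan_if=$2; wan_ip=$3; lan_net=$4; web_ip=$5
    if [ "$wan_ip" = dhcp ]; then
        snat="-j MASQUERADE"             # external address may change: let the kernel pick it
        dnat_dst=""                      # no fixed external address to match on
    else
        snat="-j SNAT --to-source $wan_ip"
        dnat_dst=" -d $wan_ip"
    fi
    cat <<EOF
# forwarding must be enabled separately: echo 1 > /proc/sys/net/ipv4/ip_forward
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $wan_if$dnat_dst -p tcp --dport 80 -j DNAT --to-destination $web_ip:80
-A POSTROUTING -s $lan_net -o $wan_if $snat
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -m state --state NEW -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -d $web_ip -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# The diagrams' addresses: eth0 is the LAN side, eth1 carries 1.1.1.1
nat_gateway_rules eth0 eth1 1.1.1.1 192.168.1.0/24 192.168.1.1
```

Two details follow from the table order at the end of these notes (mangle, then nat, then filter): the FORWARD rule for the published server matches on the internal address 192.168.1.1, because PREROUTING DNAT has already rewritten the destination by the time the packet reaches the filter table, and the SNAT rule is restricted to the LAN source network and the external interface so that traffic in the other direction is never translated.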
===============================================================================
mark: tagging packets, done in the mangle table
iptables -t mangle -A PREROUTING -m ttl --ttl-eq 64 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -m ttl --ttl-eq 123 -j MARK --set-mark 20
iptables -t filter -A FORWARD -m mark --mark 10 -j ACCEPT
iptables -t filter -A FORWARD -m mark --mark 20 -j DROP
Where the mark is set matters: it must be set in a chain the packet traverses before the chain that tests it
Table priority: mangle --------> nat --------> filter